Tenant Hardening: A practical beginner’s guide for businesses
In cybersecurity, some of the most important protections aren’t headline-grabbing. They happen quietly behind the scenes, like tenant hardening.
If your business uses cloud platforms like Microsoft 365 or Google Workspace, this is a practice you need to know about.
What is tenant hardening?
Tenant hardening is the process of securing your cloud environment (or “tenant”) so it’s properly configured for your business and protected against threats.
Think of your tenant as the front door to your company’s digital world. When you first set up a cloud service, that door might be left slightly ajar. Tenant hardening is about closing it, locking it, and making sure only the right people can get in, with the right permissions.
Why it matters
Most businesses rely on cloud services for daily operations like email, collaboration, and file storage. But here’s the problem: Cloud platforms aren’t fully secure by default. Their out-of-the-box settings prioritise ease and speed, not security. This leaves the door open to risks like:
• Overly broad user permissions
• Weak or missing multi-factor authentication (MFA)
• Unmonitored admin accounts
• Files being shared publicly without realising it
Without hardening, these issues can snowball into serious breaches, data leaks, or compliance headaches.
What does tenant hardening involve?
The process can vary depending on your cloud platform, but the fundamentals are consistent.
• Enable strong authentication. MFA for all users, especially admins
• Review access controls. Give people only the access they need
• Disable unused services or features. Reduce your attack surface
• Set up alerts and monitoring. Know when something unusual happens
• Lock down external sharing. Make sure sensitive data doesn’t walk out the door
• Apply security baselines. Use trusted frameworks like CIS or NCSC guidance
It’s not about making systems harder to use. It’s about building security into how your business operates and reducing the risk of costly mistakes.
How to start tenant hardening
If you’re not sure where to begin, here’s a straightforward starting point. You don’t need to fix everything at once — but you do need to start.
1. Run a basic audit
Check your current cloud tenant settings. Focus on:
• Whether MFA is enabled for all users
• Who has admin-level access
• Any inactive or legacy user accounts
• External file sharing permissions
• Unused apps or services still running
You can often use built-in admin dashboards in Microsoft 365 or Google Workspace to gather this information.
2. Triage the risks
Not all issues need fixing at once. Prioritise:
• Accounts with excessive permissions
• Lack of MFA
• Active global admin roles
• Data that’s publicly shared without controls
Start with the areas that pose the highest risk to the business.
3. Apply recommended security baselines
Use industry frameworks or vendor best practices.
For Microsoft 365, look at:
• Microsoft Secure Score
• CIS Benchmarks
• NCSC Cloud Security Guidance
These tools will highlight weaknesses and suggest practical, step-by-step actions.
4. Document what you’re doing
Keep track of what’s been reviewed, changed, or needs follow-up. This helps with internal clarity and supports compliance or audit needs.
5. Schedule regular reviews
Make tenant hardening a routine task, not a one-off project. Check in quarterly or biannually to keep your setup aligned with how the business operates.
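As an added example (not part of the original post), here is a read-only Microsoft Graph PowerShell script that gathers the step 1 audit data for a Microsoft 365 tenant and groups it by the step 2 priorities: enabled users with no second factor registered, accounts with no recent sign-in, and holders of admin roles. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account can consent to the listed read-only scopes, and, for sign-in dates, the tenant has a licence that exposes sign-in activity; the 90-day inactivity threshold is an assumed value.

```powershell
# Added example, not the blog's own script. Read-only: it changes nothing in the tenant.
# Assumes the Microsoft.Graph SDK is installed and the account can consent to these scopes.
Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","UserAuthenticationMethod.Read.All","AuditLog.Read.All" -NoWelcome

# Methods that count as a second factor. Password and e-mail (used for self-service reset) do not.
$StrongMethods = @(
  '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
  '#microsoft.graph.phoneAuthenticationMethod',
  '#microsoft.graph.fido2AuthenticationMethod',
  '#microsoft.graph.softwareOathAuthenticationMethod',
  '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$InactiveAfterDays = 90                      # assumed threshold; adjust to your policy
$Cutoff = (Get-Date).AddDays(-$InactiveAfterDays)

# SignInActivity is only returned when requested explicitly and needs AuditLog.Read.All.
$Users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,SignInActivity

$Findings = foreach ($u in $Users) {
  if (-not $u.AccountEnabled) { continue }   # disabled accounts are reviewed separately
  $Methods = Get-MgUserAuthenticationMethod -UserId $u.Id
  $Strong  = @($Methods | Where-Object { $StrongMethods -contains $_.AdditionalProperties['@odata.type'] })
  $LastSignIn = $u.SignInActivity.LastSignInDateTime
  [PSCustomObject]@{
    User       = $u.UserPrincipalName
    Guest      = ($u.UserType -eq 'Guest')
    MfaMissing = ($Strong.Count -eq 0)
    Inactive   = ($null -eq $LastSignIn) -or ($LastSignIn -lt $Cutoff)
    LastSignIn = $LastSignIn
  }
}

# Members of privileged roles. Get-MgDirectoryRole lists only roles that have been activated.
$Admins = foreach ($role in (Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -like '*Administrator*' })) {
  foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Members can be users, groups or service principals; fall back to displayName for non-users.
    $Name = $m.AdditionalProperties['userPrincipalName']
    if (-not $Name) { $Name = $m.AdditionalProperties['displayName'] }
    [PSCustomObject]@{ Role = $role.DisplayName; Member = $Name }
  }
}

"== Enabled users without a registered second factor =="
$Findings | Where-Object MfaMissing | Select-Object User, Guest | Format-Table
"== Enabled users with no sign-in in the last $InactiveAfterDays days =="
$Findings | Where-Object Inactive | Select-Object User, LastSignIn | Format-Table
"== Admin role holders (cross-check each against the MFA list above) =="
$Admins | Sort-Object Role, Member | Format-Table
```

Querying authentication methods one user at a time is fine for a few hundred accounts; pipe `$Findings` and `$Admins` to `Export-Csv` to keep the step 4 record of what was reviewed.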
How long does it take?
For a medium-sized business, tenant hardening can typically take between one and four weeks, depending on complexity, existing configuration, and internal resource availability. Some basics, like enabling MFA and restricting file sharing, can be tackled in just a few days.
It’s not a once-and-done task either. It should be part of a regular review cycle to keep your defences sharp as your business grows and changes.
Is this just for big businesses?
Not at all. In fact, small businesses are often more exposed because they assume they’re “too small to target” or don’t have the time or expertise to secure their systems.
Whether you’re a 5-person startup or a 500-person company, tenant hardening is essential. If your team relies on cloud services, you’re carrying sensitive data. That data needs protecting.
Cybercriminals don’t discriminate by company size. They look for the easiest way in. Don’t make it easy.
Questions to ask your technical team:
If you’re not directly managing your cloud environment, start the conversation. Ask your IT team, provider, or technical lead:
• Have we hardened our Microsoft 365 or Google Workspace tenant?
• Is multi-factor authentication enabled for all users, including admins?
• Who has global or admin-level access, and how is that monitored?
• Are we applying recommended security baselines or frameworks?
• Can any files or folders be shared outside the business without approval?
• Do we get alerted when something suspicious happens, like unusual logins?
• When was the last time we reviewed our cloud configuration?
You don’t need to be a security expert to ask smart questions. A short conversation now could prevent a much longer one later, involving legal, compliance, or incident response teams.
If you're a technical lead looking for buy-in:
If you’re responsible for IT or security, you probably already know the gaps that need closing. But getting time, resources, or budget for tenant hardening can be tricky, especially when the threat feels invisible, or the system seems to be “working fine.”
Here’s how to frame the conversation with decision-makers:
• “Our cloud environment is operational, but not secure by design.” Most platforms aren’t locked down out of the box. That leaves a gap between functionality and protection.
• “Tenant hardening isn’t about buying new tools, it’s about configuring what we already have.” This is a low-cost, high-impact exercise that protects our data and reputation.
• “A breach doesn’t start with ransomware. It starts with one weak setting.” Admin accounts without MFA, files shared externally, or overly broad permissions are all common causes.
• “We’re not too small to be targeted. We’re too exposed not to be.” SMEs and mid-sized businesses are often seen as easier targets because attackers know resources are stretched.
• “This work doesn’t slow down the business. It keeps it running safely.” A well-hardened tenant reduces downtime risk, lowers insurance exposure, and keeps us compliant.
And finally, make it real.
• Share a quick audit or example of current risks (for example, how many inactive accounts still have access)
• Show how long it would take to complete
• Tie it to business risk, not just IT hygiene
This isn’t a “nice-to-have”. It’s a foundational step in protecting the business from modern threats using the platforms it already relies on.
Our final thought:
Tenant hardening isn’t about overengineering your IT setup. It’s about configuring your cloud tools in a way that makes sense for your business, not just running them as-is.
If you’ve purchased Microsoft products and deployed them straight out of the box, ask yourself:
Did you configure them for your business, from a security point of view?
Because default settings aren’t built for your risks. You are.